Protecting consumer data in the Internet of Things

Eric Vanderburg

The Internet community grows larger every day as more and more devices attach to it. These devices increasingly include, not computing devices, but everyday things such as HVAC systems, lighting, pumps, and even animals. We are at the beginning of a new age where items in the physical world can be monitored, controlled, automated and interacted with in ways never seen before. We refer to this as the Internet of Things (IoT) and many companies are looking at way to best utilize this technology.

IoT is currently used in a widespread distribution of industries. Sensors embedded in components can report when they fail or are about to fail. IoT is used to control the color and illumination level of lights and in other home automation scenarios. Some have already combined IoT technologies such as the new video game, Chariot, that can change the lighting in your room according to what is happening in the game.

IoT allows for those using augmented reality such as Google Glass, Microsoft HoloLens and other tools to obtain more information about the things around them. Robots can also take advantage of this data to better interact with their surroundings. This is certainly an exciting time, but we also must be concerned because as we push the boundaries of “what can be done,” we need to ask “what should be done.”

To understand the security behind IoT, we must first understand that IoT is really about collecting more data from more devices. That data may be used to perform all these wonderful things, but it can seriously diminish privacy unless the use of such data is governed.

Consumers may help drive change

The first item of concern is data ownership. Who owns the data that is collected by so many devices? Is it the person who owns the device, the person who is wearing the device, the person who designed the device, or all those interacting with the device? For example, if a rental car collects data on how fast a person drives, is that the data of the driver, rental company, software/hardware vendor, or the state? If currency is tagged with location data, is that data the property of the treasury and does the user of the money have any say in how that data is used? A serious dialogue is needed to resolve these issues.

Second, securing IoT will require more specific privacy policies and pressure from consumers for companies to use their data only for providing the services that they opt in for. Furthermore, private data should be removed once the need for it in providing these services has expired. On the flip side, companies can get ahead of this curve and generate goodwill and a positive customer experience by enacting such policies and demonstrating adherence to their customers.

Of course, this assumes that the average user cares about his privacy and data protection. The readers of this article are most likely more concerned with their privacy than the average Internet user, and this is precisely the problem because a critical mass is needed to affect changes. Companies will sell the products and services they see are in demand by the majority of individuals while others may or may not be served as a niche market. Overall change will not happen unless enough people express their concern and influence companies through the selection of products and services based on its ability to protect their privacy.

Action needs to take place now while IoT is still in its infancy. As we have seen time and time again, it is much harder to protect information after it has been collected, sold and distributed, and possibly stolen by other individuals.